As of July 2023, the United States had several digital privacy regulations, which exist either at the state level or cover very specific aspects of digital privacy. Examples include the California Consumer Privacy Act (CCPA) and its amendment, the California Privacy Rights Act (CPRA), the Colorado Privacy Act, the Health Insurance Portability and Accountability Act (HIPAA), and the Children’s Online Privacy Protection Act (COPPA). The United States still lacks a comprehensive online privacy law that regulates every aspect of data privacy nationwide.
Who regulates data privacy in the U.S. tech industry?
Despite the United States not having comprehensive data privacy legislation, one federal agency deals with consumer data protection. The Federal Trade Commission (FTC) is the U.S. government agency that enforces civil antitrust law and protects consumer rights. The FTC takes law enforcement actions against companies that violate consumers’ privacy rights. When collecting user data, companies are required to keep it safe, and the FTC checks whether they comply with these obligations.
The Children’s Online Privacy Protection Act (COPPA)
In 1998, the United States Congress passed the Children’s Online Privacy Protection Act (COPPA). This law protects children’s online data and controls how websites and other online services handle that data. In 2000, the COPPA Rule was enacted, specifying how the law is to be implemented. The rule requires websites and online services to obtain parental consent before collecting the personal information of individuals under the age of 13. The U.S. Federal Trade Commission (FTC) manages the enforcement of the COPPA Rule. As of August 2023, the highest fine for violating the Children’s Online Privacy Protection Act (COPPA) was incurred by Fortnite maker Epic Games in December 2022 and amounted to 520 million U.S. dollars.
Health Insurance Portability and Accountability Act (HIPAA)
The healthcare sector is one of the most vulnerable industries regarding data privacy. Healthcare institutions gather a massive amount of highly sensitive data, and if handled improperly, this data can easily become accessible to unauthorized third parties. In 2022, healthcare institutions in the United States reported 707 data breach incidents. This number refers to cases involving the exposure of more than 500 data records. Among the ways healthcare organizations lost sensitive data, hacking was the most common.
The Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) manages enforcement actions for data privacy in the U.S. healthcare industry. In 2022, OCR imposed 22 fines against healthcare organizations in the United States, the highest number of cases since 2008. In the first half of 2023, the highest HIPAA penalty, 1.25 million U.S. dollars, was imposed on a non-profit health system, Banner Health. The organization suffered a cyber attack in 2016 that resulted in the exposure of sensitive information of approximately three million people. In the latest reported period, the first half of 2023, the overall amount of HIPAA settlements and monetary penalties was 1.98 million U.S. dollars.
State level privacy: California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
California was the first U.S. state to develop a state-level privacy law for consumer data privacy protection. Proposed in 2018, the California Consumer Privacy Act (CCPA) was enacted on January 1st, 2020, and amended later that year. The law regulates the obligations of businesses toward Californian consumers regarding data privacy. The latest regulation, the California Privacy Rights Act (CPRA), has been fully operative since January 2023. This second version of the law is more comprehensive in terms of both consumer rights and business obligations.
Besides the CCPA and CPRA, several other states have signed privacy laws, with the majority of these regulations becoming effective in 2023.
International consumer data transfer
Not having a comprehensive data privacy protection law at the federal level makes the United States incompatible with other regions or countries that have stricter data requirements. For instance, U.S. companies operating in Europe have difficulties complying with the General Data Protection Regulation (GDPR) of the European Union. In a 2023 survey, 35 percent of U.S. businesses that transfer data internationally said that privacy regulations add extra costs but found them manageable. Additionally, 17 percent said that regulations are a significant impediment to cross-border business. In May 2023, the Irish data privacy authority, the Data Protection Commission (DPC), imposed a 1.2 billion euro fine against Meta Platforms Ireland Limited for transferring users' personal data to the United States without a sufficient legal basis for the data processing.
Who is involved in developing online privacy laws?
In recent years, tech giants, who are usually on the receiving end of data privacy law enforcement, have tried turning the tables by proactively announcing that the tech industry needs more regulation and by offering to help develop privacy laws in cooperation with government entities. While this might be a tempting offer for a government that could use the expertise of leading tech companies, it might also be a way for tech giants to become even more powerful.
This text provides general information. Statista assumes no liability for the information given being complete or correct. Due to varying update cycles, statistics can display more up-to-date data than referenced in the text.